Gentoo Development Guide

PAX-UTILS.ECLASS

NAME

DESCRIPTION

This eclass provides support for manipulating PaX markings on ELF binaries,
whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
The eclass wraps the use of the paxctl-ng, paxctl, setfattr/getfattr and scanelf
utilities, deciding which to use depending on what is installed on the build
host and whether we are working with PT_PAX, XATTR_PAX or both.

To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
to contain either "PT", "XT" or "none". The default is to attempt both
PT_PAX and XATTR_PAX.

Default flags are 'PeMRS', which are the most restrictive settings. Refer
to http://pax.grsecurity.net/ for details on what these flags are all about.

Please confirm any relaxation of restrictions with the Gentoo Hardened team.
Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
the bug report.

Return value: Shell true if we succeed, shell false otherwise

list-paxables <files>

Print to stdout all of the <files> that are suitable to have PaX flag
markings, i.e., select the ELF executables and shared objects from a list
of files. This is useful for passing wild-card lists to pax-mark, although
in general it is preferable for ebuilds to list precisely which ELFs are to
be marked. Often not all the ELF files installed by a package need remarking.

Return value: Subset of <files> which are ELF executables or shared objects

host-is-pax

This is intended for use where the build process must be modified conditionally
depending on whether the host is PaX enabled or not. It is not intended to
determine whether the final binaries need PaX markings. Note: if procfs is
not mounted on /proc, this returns shell false (e.g. Gentoo/FreeBSD).
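The two checks described above (list-paxables and host-is-pax), as an added example that is not code from pax-utils.eclass or from Gentoo. The eclass's own list-paxables defers to file(1); this version reads the ELF header directly (magic, EI_DATA byte order, e_type) so the selection rule is visible, and it keeps exactly the types that can carry markings: ET_EXEC and ET_DYN (shared objects and PIEs). The host check greps the process status file, and the missing-procfs case documented above falls out as a plain false. Function names (elf_e_type, list_paxables, host_is_pax, make_samples) and the sample files are hypothetical and constructed here; the fake ELF headers are only the 18 bytes inspected, not loadable binaries.

```shell
#!/bin/sh
# Added example, not code from pax-utils.eclass. Function names are hypothetical.

# elf_e_type FILE
# Prints the ELF e_type field of FILE in decimal, or returns 1 if FILE is not
# an ELF object (or is too short to hold the fields inspected).
elf_e_type() {
    # 16-byte e_ident followed by the 2-byte e_type, as decimal octets
    set -- $(od -An -N 18 -v -tu1 "$1" 2>/dev/null)
    [ $# -eq 18 ] || return 1
    # e_ident[EI_MAG0..EI_MAG3] must be 0x7f 'E' 'L' 'F'
    [ "$1" -eq 127 ] && [ "$2" -eq 69 ] && [ "$3" -eq 76 ] && [ "$4" -eq 70 ] || return 1
    # e_ident[EI_DATA] ($6) selects the byte order in which e_type is stored
    case $6 in
        1) echo $(( ${17} + ${18} * 256 )) ;;   # ELFDATA2LSB
        2) echo $(( ${17} * 256 + ${18} )) ;;   # ELFDATA2MSB
        *) return 1 ;;
    esac
}

# list_paxables FILE...
# Prints the subset of FILE... that are ELF executables (ET_EXEC = 2) or
# shared objects / PIEs (ET_DYN = 3). Relocatable objects, core files and
# non-ELF files are dropped, which is the subset list-paxables keeps.
list_paxables() {
    for f in "$@"; do
        t=$(elf_e_type "$f") || continue
        case $t in
            2|3) echo "$f" ;;
        esac
    done
}

# host_is_pax [STATUS_FILE]
# True when the kernel exposes a "PaX:" line in the process status file.
# With procfs unmounted the file does not exist; grep -s keeps that quiet
# and the function is simply false, as host-is-pax is documented to be.
host_is_pax() {
    grep -qs '^PaX:' "${1:-/proc/self/status}"
}

# make_samples DIR
# Writes constructed sample input into DIR: fake ELF headers (only the
# 18 bytes read above) plus a shell script and two status-file excerpts.
make_samples() {
    d=$1
    # 64-bit little-endian ET_DYN (shared object or PIE)
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\003\000' > "$d/libfoo.so"
    # 32-bit big-endian ET_EXEC
    printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002' > "$d/foo"
    # 64-bit little-endian ET_REL (object file, not markable)
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\001\000' > "$d/foo.o"
    # Not ELF at all
    printf '#!/bin/sh\necho hi\n' > "$d/foo.sh"
    # Constructed /proc/self/status excerpts, with and without a PaX line
    printf 'Name:\tsh\nPaX:\tPeMRs\nState:\tR (running)\n' > "$d/status.pax"
    printf 'Name:\tsh\nState:\tR (running)\n' > "$d/status.plain"
}

# Demo on the constructed samples
demo=$(mktemp -d)
make_samples "$demo"
echo "markable:"
list_paxables "$demo"/*
host_is_pax "$demo/status.pax"   && echo "sample status: PaX kernel"
host_is_pax "$demo/status.plain" || echo "sample status: not PaX"
host_is_pax "$demo/nonexistent"  || echo "missing status file: not PaX"
rm -rf "$demo"
```

The demo lists only foo and libfoo.so as markable; foo.o and foo.sh are skipped. Parsing the header rather than file(1) output avoids depending on the wording of file's descriptions, which changed between versions (PIEs are reported as "shared object" by some and "pie executable" by others), while the e_type check treats both the same way.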